JP4615708B2 - Key authentication method - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to security of a communication system, and more particularly, to a method (procedure) for performing validation (validation) of parameters and keys in such a system.
[0002]
[Prior art]
Information is transmitted / received between a pair of communicators using a secure data communication system. At least some of the information exchanged is encrypted by the sender performing a predetermined mathematical operation. Then, the receiver performs a complementary mathematical operation corresponding to the mathematical operation described above, and decrypts the code. In a public key or symmetric key system, it is necessary for communicators to know some parameters in advance. For example, various schemes and protocols have been devised so far, and validation (authentication) of the sender's public key and identity is performed. The security or validity of these systems depends on whether the signature is valid, the system parameters (if any) are valid, the public key is valid, and the signature is confirmed ( It is ensured only when verified. In addition, the security of an asymmetric system is ensured when the system parameters (if any) are valid, the encrypted public key is valid, the symmetric key is formatted as specified, and symmetric Only when the validity of the format is checked by type key recovery checks.
[0003]
On the other hand, the security of the key agreement protocol is ensured when the system parameters (if any) are valid, the key agreement public key is valid, and the shared secret and symmetric key are generated as specified in the standard. Limited to In all of the above, it is assumed that a public key or a symmetric key, that is, a shared secret, is generated as specified by the protocol method and is valid.
[0004]
[Problems to be solved by the invention]
However, problems arise if these parameters are fake or somehow flawed.
[0005]
The following example explains what a defect in one or more parameters of a public key cryptosystem means. For example, consider the case where a sender's authenticity is indicated using a digital signature. When receiver A receives a public key with a certificate from sender B, A confirms the certificate. Next, when B sends a signed message to A, A can confirm the signature and determine that further communication is possible. However, in this case, if B intentionally falsifies the public key, the recipient A cannot identify this invalid public key. Similarly, participant C generates a key pair and subsequently receives a public key certificate, after which participant C assumes that the public key contained in the certificate is valid, Consider the case where a certificate and subsequent signed message is sent to B. Participant B can determine C's key information. As can be seen from both cases above, problems can arise due to the use of unauthenticated parameters when verifying the signature.
[0006]
In the key transmission protocol, the communicator A may accidentally transmit a symmetric key to a different partner. For example, when communicator A receives a public key with a certificate from sender B, A confirms the certificate and is encrypted with a symmetric key and a symmetric key encrypted with the public key. Send message to B. Thereby, A is approved. Conversely, one of the communicators, C, generates a key pair, obtains a public key certificate, and transmits it to A. In this case, A encrypts the symmetric key and message using the public key and sends it back to C. Therefore, in this case, C is approved.
[0007]
In the key agreement protocol, one of the communicators, for example, receives a public key with a certificate from B and transmits the public key with a certificate of A to B. A and B each confirm the certificate of the other party and have symmetric keys that match each other. In this example, A is approved twice.
[0008]
As can be seen from the above examples, even if the security of the public key system is ensured, the security of the system largely depends on one or both of the communicators, and the requested predetermined key is actually used. Rely on being a predetermined key for a particular algorithm. Typically, when a recipient receives a bit string, he or she assumes that the bit string actually represents the required key, which is particularly problematic in symmetric key systems. That is, in a symmetric key system, typically, any bit string having a correct size is interpreted as a key. Even if one bit in this bit string is different from the predetermined key, it is interpreted as another key, so that an appropriate cryptographic operation can be performed unless the key is wrong.
[0009]
In an asymmetric secret key system, the owner of the secret key knows everything about the secret key and can verify the validity of it. However, when a third party sends a public key to the owner's system, whether the received key meets the arithmetic requirements of the public key or an operation (operation using the requested public key). ) Raises a question as to whether or not the encryption operation will ensure confidentiality. If the owner's system doesn't test, it's definitely not known, so only the owner knows.
[0010]
As can be seen from the above, the establishment of a key may not be secure. According to a paper by Lim and Lee published in Crypto '97, the above problem is that the other party's secret when using a false public key with an incorrect order in the Diffie-Hellman method It was pointed out with an example that information about keys can be obtained. In the RSA or Rabin system, the public key and the secret key are set as a function of a large prime number, thereby ensuring security from the difficulty of factoring such a large number. These keys are generated from the product of two arbitrarily large prime numbers. However, if n is a prime number and not a product of two prime numbers, phi (n) = n−1 holds, so that anyone can determine d from a fake “public key” (n, e). it can. These can be said to be problems caused by the fact that the public key user cannot verify the validity of the arithmetic attributes that match the algorithm requirements for the requested public key.
[0011]
An object of the present invention is to perform improved validity verification in a communication system having a security function. Furthermore, an object of the present invention is to make it possible for anyone to perform such validation at any time using only public information.
[0012]
[Means for Solving the Problems]
According to the digital signature validity verification method in the public key communication system of the present invention, the method includes a step of confirming that the arithmetic attribute of the public key matches the system algorithm, and a step of confirming the digital signature.
[0013]
Furthermore, a step of checking system parameters is provided.
[0014]
In addition, information indicating that the validation of whether the requested public key is arithmetically matched with the algorithm has been performed, and if appropriate, the number of validations performed. And a step of including the information to be included in the certificate information.
[0015]
DETAILED DESCRIPTION OF THE INVENTION
As shown in FIG. 1, the data communication system 10 includes a set of communicators, which are a sender 12 and a receiver 14, and are connected to each other by a communication channel 16. The sender 12 and the receiver 14 have encryption units 18 and 20, respectively, that process digital information in preparation for transmission / reception via the communication channel 16. The data communication system 10 may further include a certificate authority (CA) 22.
[0016]
Hereinafter, a case where a public key algorithm is used will be described as an embodiment of the present invention. The key agreement has the following six routines. That is, system parameter generation, system parameter validation, key pair creation, public key validation, shared secret derivation, and symmetric key derivation. In the key verification step, anyone can verify the validity of the public key at any time using only public information. These routines verify the range and order of the public key. If the validity of the public key is verified, there may be a logically corresponding private key, but it is not proved that it actually exists.
[0017]
The Elliptic Curve Digital Signature Algorithm (ECDSA) also includes six routines. That is, system parameter generation, system parameter validity verification, key pair generation, public key validity verification, signature generation, and signature verification. On the other hand, the first type of DSA includes four routines: system parameter generation, key pair generation, signature generation, and signature verification. More recent DSAs include five routines: system parameter generation, (implicit) system parameter validation, key pair generation, signature generation, and signature verification. In order to perform key validation, it is assumed that the DSA parameters p, q, and g have already been validated. The secret key is x and the public key y is y = g ^x mod p. Then, the validity of the range of y is verified by confirming that 1 <y <p, and the order of y is y ^q Validate by checking that mod p = 1. These validations confirm that a requested DSA public key meets the arithmetic requirements for such a key. These validations can be performed at any time by using only public information.
[0018]
An RSA or Rabin signature algorithm generally includes three routines: key pair generation, signature generation, and signature verification. The verification of the RSA public key (n, e) includes the following three steps. That is, the validity of e is first verified, then the validity of n is verified, and then e and n are verified to be consistent with each other. In order to verify the validity of the public index e, the index e is 2 ≦ e ≦ 2 ^(k-160) (K is the modulus n bit length). This requirement that the range of the index e should be in the specified range as described above in particular makes the verification here feasible. If e> 2, e must be an odd number. Furthermore, it is known that in the case of a closed network, the public index e should satisfy all other criteria. That is, for example, e is a determination criterion that e must be 3, 65537, or any number larger than 65537. These verifications may be performed to further confirm the validity of the key. These verifications may be included as part of the specification of the RSA public key partial validation routine. Although the verification of the above-mentioned index e seems to be simple, it can be confirmed that e is selected before d in which selection is attempted in the RSA / Rabin algorithm. Because this verification shows that de = 1 mod (lcm (p−1, q−1)), and e has at least 160 zeros representing the number of digits compared to modulus n, which This is because it cannot be realized if it is selected first.
[0019]
In order to verify the validity of the modulus n, the magnitude of n is obtained. It is known that n must contain exactly (1024 + 128 s) bits (where s = 0, 1, 2, 3,... etc.). This can be easily verified and can be part of partial key authentication. Since modulus n is the product of two prime numbers and all prime numbers greater than 2 are odd numbers, even if further validity verification is performed on modulus n by determining whether modulus n is odd or not Good. Therefore, since the product of the odd numbers is an odd number, n must be an odd number. Furthermore, it has been found that when e = 2 in the Rabin algorithm, p = 3 mod n and q = 7 mod 8. Therefore, n = pq = 21 mod 8 = 5 mod 8 must be satisfied. This can be verified by confirming that n = 5 mod 8 when e = 2. Furthermore, it has been found that n must not be a perfect power. From this, it is clear that n is composed of two different prime factors, and the validity can be verified by a simple test. The above verification is described in "Handbook of Applied Cryptography" by Menezes, van Oorschot, and Vanstone.
[0020]
It is also known that n must be a composite number. Therefore, when n is a prime number, reverse conversion can be easily performed, and security is not ensured at all. Verification of whether n is a composite number can be realized by performing Miller-Rabin probable prime test assuming that n is actually proved to be a composite number. . Further tests for verifying modulus n are based on: In other words, n is the product of two large prime numbers, and it is difficult to factorize, so it is known that attempts to factor in a simple manner will not succeed. For example: GCD (n, i) may be calculated for all prime numbers from a small odd prime number to a certain size as i, for example, the first 50000 (50K) odd prime numbers.
[0021]
From the above two verifications, it can be seen from the former that at least one factor must be less than half the modulus bits, and from the latter, each factor must be greater than the maximum prime number verified. I understand. Further, there are only a limited number of potential factors (p, q, r,...) Depending on the maximum prime number verified above.
[0022]
Combining the above verification results in a synergistic effect. The purpose of the verification is to greatly reduce the freedom of action that the enemy can take. Even if the attack is nearly impossible, performing partial key authentication can make the attack even more difficult, preferably making the attack impossible or at least uneconomical.
[0023]
Furthermore, since the values of p and q must not be too close, when verifying modulus n, we assume that they are close values and attempt to factor n. Let the square root of n be the initial expected values of p and q. Decrease p while increasing q to determine if n can be factored to a predetermined limit. Further, since it is known that prime numbers should not be repeated in the RSA modulus set, GCD (ni, nj) is calculated for a certain set of RSAs n1 and n2, and all the calculation results are 1 Can be confirmed.
[0024]
Although there are limitations to the offline verification described above, these verifications can be extended because the parameter owner knows certain information, such as factorization of n. Thus, the owner may be used as an online oracle. By identifying that the answer to the question made about this oracle is incorrect, anyone can assert that the public key is invalid.
[0025]
According to Vanstone et al., "Handbook of Applied Cryptography", the owner can calculate (square root mod n), but not others. The verifier determines the Jacobian code (Jacobi Symbol) of (arbitrary value mod n) as 1 or −1, and determines that the half is 1 and the other half is −1. In the case of 1, it is divided again in half depending on whether the number is a square number or not. The verifier squares (a number mod n). The Jacobian code for the square number is always 1.
[0026]
The verifier selects one of the arbitrary elements r whose known square number u and Jacobian code are 1. The owner is then asked the two types of elements, "Is this a square number?" The owner will answer yes or no. If u is selected, the modulus will be invalid if the owner does not answer yes. If r is selected, the key law becomes invalid if the number of times the owner answers yes and no is about half each.
[0027]
By repeating this many times, the reliability increases. If the verifier asks the owner about all squares, the owner must always answer yes. If the verifier asks the owner about any element whose Jacobian code is all 1, the owner must answer yes to half and no to half. The owner of the false key only knows that at least half of the answers are yes. However, if you are the owner of the secret key, you know the factorization of n and know the squares, so if you lie about pseudo-squares that they are squares, just trick the verifier. Good. The verifier need only ask “is this a square number” using a known pseudo-square number? Usually, without knowing the factorization of a law, it is impossible to determine that a number is a pseudosquare number of the law. However, the owner must answer the above question that some of the numbers with Jacobian being 1 are pseudo-square numbers. The verifier can generate any known pseudo-square number by multiplying the known pseudo-square number by (square number mod n). The verifier knows that the resulting value is a pseudosquare number. When you ask the owner about this third type of number t (known pseudosquare number), in this case, if the owner lies that some pseudosquares are square numbers, Known to verifiers.
[0028]
To verify both e and n, GCD (e, p-1) = 1 and GCD (e, q-1) = 1. If e is odd, we know that for integers x and p, p must be a number not represented in the form of xe + 1, and for integer y, q must be a number not represented in the form of ye + 1. ing. If both p and q are invalid, n is xye ² It is not expressed in the form of + xe + ye + 1, and n ≠ 1 mod e must hold.
[0029]
Another method for verifying both e and n is described below. It has been found that GCD (e, phi (n)) must be 1. Since it is known that phi (n) = (p−1) (q−1), since there are two equations and two unknowns, the verifier can factor n.
[0030]
Assume that other requirements for key pairs are met. The reason why GCD (e, phi (n)) = 1 needs to be satisfied is to ensure that the calculation using e is a function corresponding to 1: 1 (reverse conversion possible). Otherwise, the number of operations using e will be 1: 1. If there are many operations using e with a one-to-one correspondence, d (inverse of e) does not exist, or at least normally cannot be derived. The owner must present evidence that d actually exists. However, the above question should not be asked under the control of the private key owner. That is, a certificate request (self-signed certificate request) signed by the owner is not sufficient evidence.
[0031]
The challenger can also send several dummy messages to the owner who has requested approval to sign. The owner of the private key confirms that they are dummy messages, signs them, and sends them back to the challenger. This is an online probabilistic oracle test where d exists.
[0032]
Therefore, anyone can perform offline verification at any time. Anyone can perform online verification if the owner is online. The owner can perform offline and online verification to confirm that his private key is valid. The CA performs on-line verification and tells others what the validity of the public key certificate has been verified.
[0033]
The system parameter in ECDSA is the field size q = p or 2 ^m It is. F _q is generated so that (a, b) is generated by an optional seed and the degree of the curve is hn by (a, b). , A singular point P on the curve, n which is a large prime order of P, and a cofactor h. The field size EC and point P defined by (a, b) are the main parameters.
[0034]
It is important to check not only the EC system parameters but also the EC public key. For example, assuming an elliptic curve public key Q, Q is on E. If a prime order curve is used in key matching, it is not necessary to check the order of Q. This is because if Q is on the curve, it is certain that it has the correct order. It is important to check that Q is on the curve. This is because if Q is not on the curve, the false key reveals the secret key a when calculating aQ. It is possible to confirm that the public key is on the curve by substituting it into the equation of the curve or performing verification.
[0035]
From the above, by performing key authentication, exposure to an attack is suppressed, detection of an unexpected error is helped, and a service worth performing by CA is provided. As will be appreciated by those skilled in the art, the techniques and methods described above can be implemented in any suitable processor that performs the steps of the present invention. In addition, the various methods described above can be conveniently performed using a general-purpose computer and selectively activated or reconfigured by software, as will be appreciated by those skilled in the art. May be implemented in hardware, firmware, or a more specialized device configured to perform each necessary step.
[0036]
【The invention's effect】
According to the present invention, improved validity verification can be performed in a communication system having a security function. Furthermore, according to the present invention, it is possible for anyone to perform such validity verification using only public information at any time.
[Brief description of the drawings]
FIG. 1 is a schematic diagram of a communication system.

Claims (7)

In a method for verifying the validity of a public key transmitted to a communication partner in a data communication system, wherein the communication partner has an encryption unit,
a) The communication partner is generated from a corresponding secret key according to an elliptic curve encryption method according to a predetermined arithmetic algorithm and a defined system parameter including an elliptic curve E defined on a finite field. Obtaining an elliptic curve public key Q;
b) confirming that the public key is a point located on the elliptic curve E using the encryption unit;
c) performing an encryption operation using the public key in the encryption unit. The confirmation that the point is on the elliptic curve E is that the encryption unit substitutes the coordinates of the point into the definition equation of the elliptic curve E and confirms that the coordinates satisfy the definition equation. The method of claim 1, wherein the method is performed by:   3. The method according to claim 1, wherein the elliptic curve E is a prime order elliptic curve. 4. A method according to any one of claims 1 to 3, wherein the encryption operation is performed as part of a key agreement protocol.   The elliptic curve encryption method is an elliptic curve digital signature algorithm (ECDSA), and the encryption operation is confirmation of a signature generated according to an elliptic curve digital signature algorithm (ECDSA). 4. The method according to any one of items 3 to 3.   4. The method according to claim 1, wherein the communication partner is a certification authority. The authentication authority, the public key is further seen contains a step to include in the certificate an indication that it is a confirmed, in claim 6 said indicator, characterized in that it is indicative of the verification of the validity The method described.

Images